Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart allows Cross Site Request Forgery.
This issue affects Organization chart: from n/a through 1.7.5.
AnalysisAI
Cross-Site Request Forgery in WpDevArt's Organization Chart WordPress plugin (all versions through 1.7.5) enables remote unauthenticated attackers to perform unauthorized state-changing actions against the plugin by tricking an authenticated WordPress user into interacting with a crafted request. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects that while no authentication or elevated complexity is required on the attacker's side, exploitation is gated by mandatory victim interaction, limiting realistic impact to integrity modifications only. No public exploit code exists and no active exploitation has been identified; EPSS score of 0.01% (3rd percentile) and SSVC exploitation status of 'none' collectively indicate low real-world threat at time of analysis.
Technical ContextAI
The affected component is the WpDevArt Organization Chart WordPress plugin, identified by CPE cpe:2.3:a:wpdevart:organization_chart:*:*:*:*:*:*:*:* across all versions up to and including 1.7.5. The root cause is CWE-352 (Cross-Site Request Forgery), a class of vulnerability arising when a web application fails to verify that HTTP requests originate from the authenticated user's own session - typically due to absent or improperly validated WordPress nonces or CSRF tokens on plugin admin endpoints. In the WordPress context, this commonly affects AJAX handlers or form submission endpoints that modify plugin-managed data (such as organization chart structures) without confirming request legitimacy. An attacker can exploit this by embedding a forged HTTP request in an external resource that a logged-in user is socially engineered to load.
RemediationAI
The primary remediation is to update the WpDevArt Organization Chart plugin beyond version 1.7.5; however, an exact patched release version is not confirmed in the available data - site operators should check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/organization-chart/vulnerability/wordpress-organization-chart-plugin-1-7-5-cross-site-request-forgery-csrf-vulnerability for the latest fixed release. As a compensating control where patching is not immediately possible, administrators can restrict access to the WordPress admin dashboard using IP allowlisting (e.g., via .htaccess or server-level firewall rules), which eliminates the attack surface by preventing forged requests from unauthorized origins from reaching authenticated sessions. Additionally, enforcing strict Content Security Policy headers and SameSite=Strict cookie attributes at the server or WAF layer can block cross-origin request submission, though this may require application-level testing to avoid breaking legitimate functionality. Disabling the plugin entirely until a patched version is confirmed available is also a low-risk option given the plugin's non-critical nature.
More in Organization Chart
View allCross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart <= 1.4.4 versions. Rated high severity (C
The Organization chart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_input’ and 'node
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31742
GHSA-q9c3-882w-3gm6